As well as utilizing NTLM authentication to authenticate users, you can use client-side certificates to ensure only approved client devices have access to web filter policies. This provides an additional layer of security.

The same certificate is used by all devices. You must download the client certificate from the Smoothwall responsible for Global Proxy requests, and install it on the relevant devices.

Set the Global Proxy devices' internal proxy settings to point to the externally resolvable hostname of the Smoothwall (which resolves to the external IP address of the Smoothwall), and the port number used for the Global Proxy using NTLM authentication policy.

For example: https://mysmoothwall.com/800. Note that this must be on HTTPS and not HTTP.

3. Add the external address of the Smoothwall to the devices' internal proxy exception lists. This ensures the certificate validation requests are not proxied.

4. Go to Web proxy > Global Proxy > Settings.

5. From Device identification, select Client supplied certificate.

6. Many client devices and applications require the device identification certificate to be password-protected, such as devices running iOS. Before downloading the certificate, you must set the password used.

If a password is required, enter it into the Certificate password box.

7. Click Download certificate.

8. Click Save changes.

9. Copy this certificate into the relevant devices' internal storage, and import it into the browsers.

For a detailed description of supported browsers, and how to import the certificates, see About Global Proxy.

Global Proxy servers which are part of a centrally managed solution should have the Certificate Authority uploaded to them via replication. If this does not happen, you should manually export, then import the Certificate Authority.

Note: This option is recommended for Connect for Chromebooks configurations, where the Chromebook devices are used external to your organization's network.

For those devices where it is not possible to distribute the client-side certificate to each individual network device, such as Chromebooks, you can use a secure URL to identify connecting Global Proxy clients. This is a secure alternative to the No identification (Open proxy) method of device identification — see below.

Set the Global Proxy devices' internal proxy settings to point to the externally resolvable hostname of the Smoothwall (which resolves to the external IP address of the Smoothwall), and the port number used for the Global Proxy using NTLM authentication policy.

For example: https://mysmoothwall.com/800. Note that this must be on HTTPS and not HTTP.

It is not recommended that you configure an unsecured (open) proxy, as this has security implications. If you configure Global Proxy as an open proxy, device identification for connecting clients, whether by presenting a certificate or via secure URL, is not carried out, although NTLM authentication is still required. Open proxies allow all connection attempts through without device authentication, and can potentially be exploited by users, such as spammers.

Set the Global Proxy devices' internal proxy settings to point to the externally resolvable hostname of the Smoothwall (which resolves to the external IP address of the Smoothwall), and the port number used for the Global Proxy using NTLM authentication policy.

For example: https://mysmoothwall.com/800. Note that this must be on HTTPS and not HTTP.